Reddit's hack response causes concern
Social media site Reddit has suffered a data breach, but has refused to disclose its scale.
The site said it discovered in June that hackers had compromised many employee accounts to gain access to the database and logs.
They were able to obtain usernames and the associated email addresses - information that could make it possible to link activity on the site to real identities.
The hackers were also able to access encrypted passwords from a separate database of credentials dating from 2007.
Reddit's co-founder Steve Huffman has said anonymity is a core principle of the site
The well-known security researcher Troy Hunt said, "This is personally identifiable data, which clearly discloses a data violation; why on Earth do you not inform people?"
"In cases where it has been mapped to the user name, it is also knowingly exposing the identity behind the unknown account. People should be made aware of it and should be contacted personally."
'Users are not to blame'
Instead, Reddit suggested that concerned users should search their inboxes to see if they had received an "email digest" from the firm between the 3rd and the 17th of June this year - the period for which the hackers were able to obtain logs detailing and identifying user activity.
Reddit's Chief Technology Officer Christopher Slowe wrote, "If your email address was affected, think about whether there is anything on your Reddit account that you do not want to add back to that address."
Surrey University professor Alan Woodward said that Reddit should do more to protect its users.
Professor Woodward said, "The user has a concept of thinking about whether they have any data or not, they are not related to any address, in fact it is not."
"Do not blame the users."
Reddit said the hackers were able to gain access to the firm's information despite its measures to protect employees' credentials. Access was authenticated with a text message-based two-factor authentication system. In other words, when employees logged in, they confirmed their identity by entering a code sent to them via text message.
The hackers, however, were able to intercept those text messages.
Mr. Slowe wrote, "We have learned that SMS-based authentication is not nearly as secure as we would expect." He said that the company had taken measures to make its systems more secure.
'More authentic, more true'
Reddit said that on June 19, hackers had obtained two datasets.
The first was user-related data - dating from May 2007 - including usernames, email addresses and encrypted passwords. On Wednesday, Reddit started informing users who could be included in this dataset.
But it is the second part of the breach that could affect a lot of people, and there may be serious consequences for those who use Reddit under a pseudonym.
Hackers were able to access logs related to the site's email digest function, a service that sends a daily email containing the latest updates from the sections selected by the user, which are known as subreddits.
These logs included every email digest sent over a period of 15 days. Importantly, the logs contain each user's username and associated email address - providing hackers with a database from which a person's real identity can potentially be looked up. These users are not being directly informed by the company.
The use of pseudonyms has been described as one of Reddit's greatest strengths. Talking to The Atlantic, Reddit co-founder Steve Huffman said: "When people are separated from their real world identity, they can be more authentic, they can be more true for themselves."
Not all users get the email digest, but for those who sign up in the US, the feature is turned on by default. According to Reddit's advertising metrics, 20 million people in the United States use Reddit every day. Its global user base is 330 million - similar to Twitter.
Asked by the BBC, a Reddit spokesperson would not estimate how many users could be affected. Nor would the person provide a figure for how many users were receiving the email digest at the time of the breach.
Nor did the company respond to a follow-up question asking for more information about how it planned to inform users directly about the risk.